Protect against integer overflow in raster data (<rdar://problem/23131948>)

git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@12908 a1ca3aef-8c08-0410-bb20-df032aa958be

diff --git a/CHANGES-2.1.txt b/CHANGES-2.1.txt
index 7ba00211e94404ca73ccbbdec6846aca4438d588..7c196cc836f56456e4fc4420568a3f1b26686e1e 100644 (file)
--- a/CHANGES-2.1.txt
+++ b/CHANGES-2.1.txt
@@ -3,6 +3,7 @@ CHANGES-2.1.txt
 
 CHANGES IN CUPS V2.1.1
 
+       - Security hardening fixes (<rdar://problem/23131948>)
        - The cupsGetPPD* functions did not work with IPP printers (STR #4725)
        - Some older HP LaserJet printers need a delayed close when printing
          using the libusb-based USB backend (STR #4549)

diff --git a/filter/raster.c b/filter/raster.c
index ec3033899ce9acd4228d04eef57a11d311321f99..a921433803406ae4010f79902bcda8684f27fd93 100644 (file)
--- a/filter/raster.c
+++ b/filter/raster.c
@@ -64,7 +64,7 @@ static ssize_t        cups_raster_io(cups_raster_t *r, unsigned char *buf, size_t bytes
 static unsigned        cups_raster_read_header(cups_raster_t *r);
 static ssize_t cups_raster_read(cups_raster_t *r, unsigned char *buf,
                                 size_t bytes);
-static void    cups_raster_update(cups_raster_t *r);
+static int     cups_raster_update(cups_raster_t *r);
 static ssize_t cups_raster_write(cups_raster_t *r,
                                  const unsigned char *pixels);
 static ssize_t cups_read_fd(void *ctx, unsigned char *buf, size_t bytes);
@@ -566,7 +566,8 @@ cupsRasterWriteHeader(
   memset(&(r->header), 0, sizeof(r->header));
   memcpy(&(r->header), h, sizeof(cups_page_header_t));
 
-  cups_raster_update(r);
+  if (!cups_raster_update(r))
+    return (0);
 
  /*
   * Write the raster header...
@@ -682,7 +683,8 @@ cupsRasterWriteHeader2(
 
   memcpy(&(r->header), h, sizeof(cups_page_header2_t));
 
-  cups_raster_update(r);
+  if (!cups_raster_update(r))
+    return (0);
 
  /*
   * Write the raster header...
@@ -1015,11 +1017,12 @@ cups_raster_read_header(
   * Update the header and row count...
   */
 
-  cups_raster_update(r);
+  if (!cups_raster_update(r))
+    return (0);
 
   DEBUG_printf(("4cups_raster_read_header: cupsBitsPerPixel=%u, cupsBitsPerColor=%u, cupsBytesPerLine=%u, cupsWidth=%u, cupsHeight=%u, r->bpp=%d", r->header.cupsBitsPerPixel, r->header.cupsBitsPerColor, r->header.cupsBytesPerLine, r->header.cupsWidth, r->header.cupsHeight, r->bpp));
 
-  return (r->header.cupsBitsPerPixel != 0 && r->header.cupsBitsPerColor != 0 && r->header.cupsBytesPerLine != 0 && r->header.cupsHeight != 0 && (r->header.cupsBytesPerLine % r->bpp) == 0);
+  return (r->header.cupsBitsPerPixel > 0 && r->header.cupsBitsPerPixel <= 240 && r->header.cupsBitsPerColor > 0 && r->header.cupsBitsPerColor <= 16 && r->header.cupsBytesPerLine != 0 && r->header.cupsHeight != 0 && (r->header.cupsBytesPerLine % r->bpp) == 0);
 }
 
 
@@ -1219,7 +1222,7 @@ cups_raster_read(cups_raster_t *r,        /* I - Raster stream */
  *                          current page.
  */
 
-static void
+static int                             /* O - 1 on success, 0 on failure */
 cups_raster_update(cups_raster_t *r)   /* I - Raster stream */
 {
   if (r->sync == CUPS_RASTER_SYNCv1 || r->sync == CUPS_RASTER_REVSYNCv1 ||
@@ -1300,6 +1303,10 @@ cups_raster_update(cups_raster_t *r)     /* I - Raster stream */
           r->header.cupsNumColors = r->header.cupsColorSpace -
                                    CUPS_CSPACE_DEVICE1 + 1;
          break;
+
+      default :
+          /* Unknown color space */
+          return (0);
     }
   }